Computer Security as an Integral Element of Sound Management - Literature review Example

Summary
This literature review "Computer Security as an Integral Element of Sound Management" discusses computer security principles, cryptology, and its associated applications and secure software engineering. Digital security basically means the protection of one’s digital identity…
Digital Security

Introduction

Digital security basically means the protection of one’s digital identity, which is the internet or network equivalent of an individual’s physical identity. Digital security covers various areas, which include computers and the internet, telecommunications, retail and financial transactions, travel and transportation, health care and secure access. Digital security comprises the tools that an individual or user uses to secure his or her identity, technology and assets in the mobile and online world. These tools might take the form of biometrics, web services, anti-virus software and secure personal devices that people carry with them every day. Digital security devices include secure personal devices such as SIM cards, smart-card based USB tokens, e-passports and secure chips in contactless payment cards; they give an individual the freedom to shop, communicate, travel, work and bank using his or her digital identity in a manner that is enjoyable, convenient and secure. Digital security is therefore of utmost importance, since a great deal of information is available on the various digital platforms. Some of it is personal or private information and some is extremely sensitive. Any person or firm therefore needs to put in place security measures that ensure the security of its systems is not breached. This paper examines computer security principles, cryptology and its associated applications, and secure software engineering.

Computer Security Principles

There are many methods and approaches that are used to secure computer systems. However, specific intrinsic expectations have to be met regardless of whether the system is large or small, or is owned by a private organization or by a government. Therefore, there exists a set of generally accepted system security principles.
These principles address computer security from a very high-level point of view, and are to be applied when developing computer security policy and programs, and in the creation of new systems, policies and practices (Guttman & Swanson, 1996). Thus, practices encompass broad areas such as accountability, integration and cost-effectiveness. Principles differ from practices in the sense that the latter guide organizations on the types of objectives, procedures and controls that constitute an effective computer security program.

Principle 1: Computer Security Supports the Organization’s Mission

The aim of computer security is to protect the valuable resources of an organization. These include software, hardware and information. By selecting and applying adequate safeguards, computer security supports a firm’s mission by protecting its financial and physical resources, legal position, reputation, employees and other tangible and intangible assets (NIST, 1995). Sometimes security can be viewed as a nuisance because of the rules and procedures that are imposed on systems, users and managers. However, well-chosen security procedures and rules exist to protect significant assets and to support the overall mission of the firm. As such, security should be viewed as a means to an end, and not an end in itself. Take the example of a private business. Usually, making a profit is primary while good security is secondary. Security should therefore be able to support this primary goal of making a profit.

Principle 2: Computer Security is an Integral Element of Sound Management

Information and computer systems are crucial assets that support an organization’s mission. Protecting these systems is as important as protecting other organizational resources such as employees, physical assets and money.
It should be observed that including security considerations in the management of computers and information does not totally eliminate the possibility that the assets might be harmed. According to Hayden & Feringa (2004), this is why the managers of an organization have to decide the level of risk that they are ready to accept, taking into account the costs associated with security controls. When a firm’s computer and information systems are connected to external systems, the management’s responsibilities extend beyond the firm. This means that management should know the type of security used on the external systems and seek assurance that the external system offers appropriate security for the firm’s needs.

Principle 3: Computer Security Should be Cost-Effective

The benefits and costs of security have to be carefully evaluated in both monetary and non-monetary terms so as to make sure that the expected benefits are not exceeded by the cost of controls. Security needs to be adequate and proportionate to the degree and value of reliance on computer systems, and to the probability, extent and severity of likely harm. Security requirements vary from one computer or IT system to another. What this basically means is that security is a smart business practice. Lampson (2006) observes that a firm which invests in security measures reduces the severity and frequency of computer security-related losses. For instance, a firm may estimate that it suffers huge losses every year in inventory through fraudulent manipulation of its system. By adopting a security measure such as an improved access control system, these losses can be reduced significantly.
Principle 4: Systems Owners have Security Responsibilities Outside their Own Organizations

If a computer system has external users, the system owners have a duty to share adequate knowledge about the existence and general level of security measures so that other users can be sure that the system is appropriately secure. In addition to sharing security information, managers of firms have to act in a coordinated and timely manner to prevent and respond to security breaches so as to prevent damage to others (NIST, 1995).

Principle 5: Computer Security Responsibilities and Accountability Should be Made Explicit

The accountability and responsibility of the people involved in computer security systems should be explicit. This includes providers, owners and users of computer systems. Depending on the firm’s size, the computer security program may be small or large, or even a collateral duty of another management official. According to Brown & Stallings (2011), organizations have to prepare documents that state the firm’s policy and make computer security responsibilities explicit. For instance, quite a number of information dissemination systems do not require user identification, or employ other technical means of identifying the user, and thus cannot hold users accountable.

Principle 6: Computer Security Requires a Comprehensive and Integrated Approach

In order to provide effective computer security, a comprehensive approach that considers a variety of areas both within and outside the computer security field is essential. This comprehensive approach should extend through the entire life cycle of information. For them to work effectively, security controls usually rely on the proper functioning of other controls. Several interdependencies exist, and without a proper understanding of these interdependencies, security controls can be compromised (Guttman & Swanson, 1996).
Security control effectiveness also relies on factors such as legal issues, system management, quality assurance, and internal and management controls.

Principle 7: Computer Security Should be Periodically Assessed

Computers operate in dynamic environments. System technology and users, the information and data in the systems, the risks associated with the system, and the security requirements keep changing. These changes include technological developments, connection to external networks, the emergence of new threats, or a change in the use or value of information (Lampson, 2006). Also, security is never perfect when a system is implemented. Operators and system users discover new ways of unintentionally or intentionally subverting or bypassing security. Changes in the environment or system create new vulnerabilities. These issues therefore create the need for periodic reassessment of the security of IT systems.

Principle 8: Computer Security is Constrained by Societal Factors

Various factors might limit the ability of security to support a firm’s mission. One of these factors is social issues. For instance, workplace privacy and security can conflict. On a computer system, security is implemented through the identification of users and the tracking of their actions (Brown & Stallings, 2011). However, privacy expectations can be violated in the process. In addition to privacy, transparency is another societal issue that conflicts with security. For example, while a government is expected to be transparent to its citizens, this transparency can create vulnerabilities in the system. Computer security and societal factors therefore often interact.

Cryptology and Associated Applications

In ancient times, Julius Caesar would send messages to his generals through messengers. However, Caesar did not trust his messengers, and so in his messages he would replace A with D, B with E, and so on through the alphabet.
Only a person who knew the "shift by 3" rule could decipher these messages (Goyal, 2012). History aside, this can be termed the origin of encryption and decryption. Information that can be read and understood without the need for special measures is known as plain text or clear text. The method used to disguise plain text so that its substance is hidden is known as encryption. When plain text is encrypted, unreadable gibberish known as cipher text is produced. The process of reversing this cipher text to the original plain text is known as decryption. Cryptography is therefore the science of using mathematics to encrypt and decrypt data. It is a division of applied mathematics that develops formulae and schemes to improve the privacy of communications by using codes (Knebl & Delfs, 2007). As such, it enables its users, whether military, individuals, businesses or governments, to maintain confidentiality and privacy in their communications. Typically, it involves creating and analyzing protocols that prevail over the efforts of adversaries, and which are connected to different aspects of information and computer security. There are different kinds of cryptography. In each case there is a sender, a receiver, an intruder, and a cryptographic tool that prevents the intruder from trespassing on or accessing sensitive information.

Types of Cryptography

Public key cryptography involves 2 keys, one for encryption and another for decryption. The key employed for encryption is a public key and is distributed, while the private key is used for decryption. Key escrow cryptography is a technology that permits the application of strong encryption, but also permits the recovery of decryption keys that are held by escrow agents. Translucent cryptography allows a government to decrypt some messages but not all (Knebl & Delfs, 2007). As such, only a fraction p of the messages can be decrypted, while the remaining 1-p cannot be decrypted.
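The Caesar "shift by 3" rule described above, written out as working code. This is an added example and is not part of the original essay or of any cited source; the message "ATTACK AT DAWN" and the small word list are constructed for the demonstration. The example generalizes the essay's case to any shift, and shows the point a defender should take from it: a cipher whose key is one of 26 shifts offers no confidentiality, because every key can be tried in a moment.

```python
"""Caesar shift cipher (the essay's "shift by 3" rule) and why it is weak.

Added example, not code from the essay or its sources. Letters are shifted
`shift` places along the alphabet (A->D, B->E, ... for shift 3); decryption
is the same operation with the opposite shift, which is what makes this a
symmetric cipher: sender and receiver share one secret, the shift.
"""
import string
from typing import Tuple

ALPHABET = string.ascii_uppercase  # 26 letters; the key is a shift 0..25


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Replace each letter with the one `shift` places later, wrapping at Z.

    Non-letters (spaces, punctuation) pass through unchanged, and lowercase
    input is normalised to uppercase, as in classical usage.
    """
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Decryption is encryption with the shift reversed (same key, other way)."""
    return caesar_encrypt(ciphertext, -shift)


# Constructed list of common English words used to recognise readable plaintext.
COMMON_WORDS = {"THE", "AND", "TO", "AT", "OF", "IS", "IN", "WE", "ARE",
                "ATTACK", "DAWN", "MARCH"}


def score_english(text: str) -> int:
    """Count the whitespace-separated tokens that are known English words."""
    return sum(1 for tok in text.split() if tok.strip(".,!?") in COMMON_WORDS)


def brute_force_shift(ciphertext: str) -> Tuple[int, str]:
    """Recover the shift by trying all 26 keys and keeping the most English-like result.

    This is the textbook lesson of the Caesar cipher: with only 26 possible
    keys, secrecy of the message rests entirely on the rule staying unknown,
    and the key space is exhausted in 26 trials. Modern ciphers are judged
    by the size of their key space and resistance to analysis, not by the
    secrecy of the algorithm.
    """
    best_shift = max(range(26),
                     key=lambda k: score_english(caesar_decrypt(ciphertext, k)))
    return best_shift, caesar_decrypt(ciphertext, best_shift)


if __name__ == "__main__":
    message = "ATTACK AT DAWN"          # constructed sample message
    secret = caesar_encrypt(message, 3)  # Caesar's shift-by-3 rule
    print("cipher text:", secret)
    print("decrypted  :", caesar_decrypt(secret, 3))
    print("recovered  :", brute_force_shift(secret))
```

Running the block encrypts the sample message with shift 3, decrypts it with the same shift, and then recovers both the shift and the message without being told the key, which is the essay's own point about why the messenger who did not know the rule was the only obstacle.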
The advantage of this method over key escrow is that not all of the information is put at risk. Finally, symmetric key cryptography uses the same key for encoding and decoding information. The sender and recipient of the information share the same key and keep the information secret by preventing access from outside (Goyal, 2012).

Applications of Cryptography

One application of cryptography is secure message transmission using proxy-signcryption. Proxy signature schemes permit proxy signers to sign messages on behalf of an original signer, an organization or a company. The integration of the signcryption public key and proxy signature paradigms offers secure transmission (Goyal, 2012). It is efficient in terms of communication and computation costs. Second, cryptography helps in monitoring communication. It offers tremendously robust encryption, such that it is capable of impeding government efforts to legitimately undertake electronic reconnaissance. Third, it facilitates partial observation of data, especially in cases where the sender wants only part of the information to be monitored but not all of it (Knebl & Delfs, 2007). Fourth, it enables the transfer of files on a network. Files that are exchanged between users on a network have to be protected against malicious attackers or intruders, and cryptography provides this protection. Finally, cryptography makes use of certificates and authentication to ensure computer security.

Secure Software Engineering

According to ISSECO (2013), secure software engineering is increasingly becoming a critical component of software quality, especially with the development of the internet. While computer security measures can provide fundamental protection for the main areas of a firm’s computer systems, secure software is vital in establishing a totally secure business environment. As such, every software developer needs to take security into account, since customers have to be able to trust the software created.
Hans (2007) observes that software developed with security in mind is more resistant to both intentional attacks and unintentional failures. A piece of software’s security is threatened at different points in its life cycle, by both intentional and inadvertent choices and actions of insiders, that is, persons who have a close affiliation with the firm that is producing, deploying, operating or maintaining the software. Both real-world experience and research indicate that correcting vulnerabilities and weaknesses as early as possible in the software life cycle is much more cost-effective over the software’s lifetime than creating and releasing regular security patches for software that is already deployed. Fitting security mechanisms into a pre-existing design at a later stage leads to design challenges that ultimately translate into software vulnerabilities. Security is therefore an essential property from the start of the system’s life cycle, which is the needs and requirements definition, all the way to its end, which is retirement (Haridas, 2007). There therefore needs to be security in the requirements phase, the design phase, the implementation phase and the testing phase. In the SDLC, problems result from inappropriate requirements analysis, so security features need to be planned at the requirements phase. This includes specifying the detailed requirements of a particular system with respect to the security policy. In the design phase, the system must be coherent and present a unified security architecture that takes security into account. Architects, designers and analysts need to clearly document assumptions and identify possible attacks. According to Haridas (2007), during the implementation phase a secure programming language should be used so as to minimize security errors. At the same time, secure coding guidelines and standards have to be followed.
Security teams need to perform code walkthroughs with developers in order to obtain a general understanding of the code. During the testing phase, various tests need to be conducted to check the security aspects of the software being developed. A good testing program needs to engage the security team, which predominantly comprises the development team itself.

References

Brown, L. & Stallings, W. (2011) Computer Security: Principles and Practice. New Jersey: Pearson College Division.
Goyal, S. (2012) A Survey on the Applications of Cryptography. International Journal of Science and Technology, Vol. 1, No. 3, pp. 137-140.
Guttman, B. & Swanson, M. (1996) Computer System Principles. National Institute of Standards and Technology, September 1996, pp. 1-60.
Hans, K. (2007) Cutting Edge Practices for Secure Software Engineering. International Journal of Computer Science and Security, Vol. 4, No. 4, pp. 403-409.
Haridas, N. (2007) Software Engineering-Software as a Process in the SLDC. SANS Institute Infosec Reading Room, April 2007, pp. 1-27.
Hayden, C. & Feringa, A. (2004) Computer Security. NIST Special Publication 800-27 Rev A, June 2004, pp. 1-35.
ISSECO. (2013) International Secure Software Engineering Council. Retrieved from http://www.isseco.org/
Knebl, H. & Delfs, H. (2007) Introduction to Cryptography: Principles and Applications. New York: Springer.
Lampson, B. (2006) Practical Principles for Computer Security. Microsoft Research, August 2006, pp. 1-47.
National Institute of Standards and Technology. (1995) An Introduction to Computer Security: The NIST Handbook. Special Publication 800-12, 1995, pp. 1-24.